I've been using the simple method of encrypting swap via cryptsetup and /etc/conf.d/cryptfs for quite a while, and I've had one major gripe with it from the beginning:
Upon each boot, it runs mkswap on the device/partition specified.

No matter how you look at it, this is not desirable behaviour, and it is made much worse by the fact that there are no checks performed on the device before running the command.

(Note: for all examples given I'll be using hda2 as the swap partition).

Typical checks such as the swap signature or even the UUID won't work in this case, and the one check that was performed in an alternative method (fdisk -l | grep "hda2") is insufficient (although it's certainly better than nothing).

Anyway, for the most part I was willing to just live with it, but it just dawned on me today that there is a possibly really simple way to do this, as cryptsetup supports setting the dmcrypt mapping up with an offset (in sectors), so by simply using a 1 sector offset we would have 512 bytes of persistent data at the beginning of the partition for checking upon each boot.

For example you could easily run `dd if=/dev/urandom of=/dev/hda2 bs=512 count=1`, then `dd if=/dev/hda2 of=/var/lib/whatever bs=512 count=1`, and then upon each boot compare the first 512 bytes of the swap partition with the contents of /var/lib/whatever, and only run mkswap if they match.

I've had a look at the init script where this happens (/lib/rcscripts/addons/dm-crypt-start.sh, provided by sys-fs/cryptsetup(-luks)), and I think it would be fairly trivial to implement there, however my scripting skills are still somewhat basic and I'm not sure what the best method to proceed would be, which is why I'm posting this so it can be discussed, and hopefully you'll be able to help/advise me.

What I was thinking was adding a new variable to /etc/conf.d/cryptfs for the data to compare the "header" to, the nice thing about that is it will be simple to only perform the check and use an offset with cryptsetup if that variable is defined, making it completely backwards compatible.
It's my goal to come up with something which I can file a bug for, so it could be considered for inclusion in portage.

The two things I'm really unsure about are:
1) What to use for the "header"; the random data specified above would probably be the best (also it would be created for you automatically if you overwrite the partition with random data first, as you should), or would it be better to use a simple user-defined string?
The variable could be either a string or the path to the "/var/lib/whatever" file, but it only makes sense to implement one method or the other, and I don't know which one would be best.
2) This depends on what's chosen for 1, but how should the comparison be carried out in the script?
This is mostly related to aforementioned lack of skills, but everything I can think of just seems very amateurish and untidy.

So, any thoughts, suggestions, words of encouragement, flames?

Is anyone else actually interested in this, or even using this dmcrypt swap method at all?

Even suggestions for a better topic title would be greatly appreciated, as mine just sucks.

For reference, my original whining about this a couple of months ago, the already mentioned alternative script, and yet another alternative, which seems to re-create the swap on the unencrypted partition upon shutdown, so it can be checked upon the next boot.

Apologies on this being so damn long, I seem to be completely incapable of brief, to-the-point posts.
Need to work on that.

"You have to invite me in"

Okay, spent a little time on this today and have come up with a fairly simple solution which I'm happy with.

I was thinking about using an md5sum of the first 512 bytes for the check, however the md5sum binary is on /usr, so that wouldn't really work.
Same problem with using cmp to compare with a copy of the first 512 bytes in a file, so unless someone knows of an alternative I think I'm stuck with using a string for the comparison.

Edit: Changed it so that the "-o 1" is added to the cryptsetup options before the existing options, therefore if another -o or --offset is specified in the options in conf.d/cryptfs it won't be overridden by -o 1.
If you specify -o 0, you're on your own.

I like it. If the user has busybox configured with certain features, you can get access to functionality equivalent to cmp through /bin/busybox cmp <file1> <file2>. Unfortunately, the latest version of busybox can be configured to omit cmp, so not all users are guaranteed to have the necessary functionality. A possible invocation (warning: requires GNU bash): /bin/busybox cmp --silent <( /bin/dd < "${source}" 2>/dev/null ) "${header_file}". This will produce no output, but the exit code will be success if the inputs are equal and failure if they are not. Standard error for /bin/dd is redirected to suppress the block count information that it would otherwise produce.
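As an added example (not code from the thread, nor from dm-crypt-start.sh), here is the check described in the two posts above written in POSIX sh: the first 512 bytes of the partition are compared with a saved copy before mkswap runs, "-o 1" is prepended to the cryptsetup options as in the edit in the second post, and cmp is used for the comparison as the reply suggests. The function names and the offline demo on constructed files standing in for /dev/hda2 and /var/lib/whatever are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from dm-crypt-start.sh: refuse to mkswap
# unless the first sector of the partition matches a saved copy (as proposed above).
# Assumptions: sector 0 holds random bytes written once by the admin, a copy lives
# in the header file, and cryptsetup maps the device with a 1-sector offset so
# the swap signature written by mkswap never touches sector 0.

# Returns 0 when the first 512 bytes of device $1 equal the header copy in $2.
# cmp usually lives under /usr; use "/bin/busybox cmp -s" as the reply suggests
# if /usr is not yet mounted when the init script runs.
swap_header_ok() {
    dd if="$1" bs=512 count=1 2>/dev/null | cmp -s - "$2"
}

# Prepend "-o 1" to the user's cryptsetup options; a later -o/--offset in the
# user's own options still wins, matching the edit in the second post.
cryptsetup_opts_with_offset() {
    echo "-o 1 $1"
}

# Open the mapping, then mkswap, but only after the header check has passed.
# Needs root and a real block device; the offline demo below never reaches it.
start_encrypted_swap() {
    dev=$1 name=$2 header=$3 opts=$4
    swap_header_ok "$dev" "$header" || {
        echo "header mismatch on $dev, refusing to run mkswap" >&2
        return 1
    }
    # $(...) is deliberately unquoted so the options are word-split
    cryptsetup -d /dev/urandom $(cryptsetup_opts_with_offset "$opts") create "$name" "$dev" &&
        mkswap "/dev/mapper/$name" && swapon "/dev/mapper/$name"
}

# Offline demo on constructed files standing in for /dev/hda2 and /var/lib/whatever.
demo() {
    tmp=$(mktemp -d) || return 1
    dd if=/dev/urandom of="$tmp/hda2" bs=512 count=4 2>/dev/null   # fake partition
    dd if="$tmp/hda2" of="$tmp/header" bs=512 count=1 2>/dev/null  # saved sector 0
    swap_header_ok "$tmp/hda2" "$tmp/header" || { rm -rf "$tmp"; return 1; }
    # Zero sector 0: simulates the device node now pointing at some other partition.
    dd if=/dev/zero of="$tmp/hda2" bs=512 count=1 conv=notrunc 2>/dev/null
    if swap_header_ok "$tmp/hda2" "$tmp/header"; then rm -rf "$tmp"; return 1; fi
    rm -rf "$tmp"
}

demo && echo "header check behaves as expected"
```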